An acquaintance took exception to some of the remarks made in the commentary on The Coleman Report that I wrote about last week.
In his email to me he wrote:
If you think that private sector business is any better at protecting its information assets then I’d like to suggest that you’re wrong. UK Government has a bright spotlight always focused on it, so when things do go wrong (and they inevitably will, because it’s all about probabilities) then there’s a huge public and media outcry. Experience tells me that numerous large UK PLCs have had similar size and scale incidents, the only difference being that these breaches rarely make it into the bright public spotlight.
You can’t make a blanket statement that capabilities regarding information security are poor right across government. There are some excellent cases of information risk managed agencies and departments out there.
I don’t disagree and, to be fair, The Coleman Report also makes the point that Government is driving forward professionalism in Information Assurance. There is a high variance in skills and experience. I chose, in my commentary, to focus on the challenges. We don’t hear about the positive work being done because those departments won’t be having data breaches reported in the news.
I’m all for writing about good examples of security management – I see plenty – but it’s much more interesting, and fun, to write about the mishaps. The important point is that we should be learning from both.